Before we go into what the NetWatcher HIPAA Service provides, let's review what you need to know as a small business (SMB) or healthcare provider about HIPAA compliance.
The Privacy Rule protects all "individually identifiable health information" stored or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information" (PHI). This includes common demographic information such as name, street address, telephone number, date of birth, social security number, etc. PHI also includes past, present or future information about the individual's physical or mental health condition, payment status and provision of health care. The Security Rule sets the standards for ensuring that only those who should have access to PHI actually have access.
The Department of Health and Human Services (HHS) has done a great job of documenting how to comply with the Security Rule. You can find that documentation here.
The Department of Health and Human Services, Office for Civil Rights (OCR) is responsible for administering and enforcing these standards and may conduct complaint investigations and compliance reviews. The penalties can be steep at $100 to $50,000 or more per violation with a $1,500,000 calendar year cap. State and regional governments may also impose separate fines in addition to the federal ones.
Some example cases:
DECEMBER 10, 2014 Malware Infection Results in $150,000 HIPAA Fine
Malware on a personal computer is troubling enough, but when it comes to computers used by health care providers, the viruses can result in federal fines for patient privacy violations. According to the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR), this was a lesson recently learned by Anchorage Community Mental Health Services (ACMHS), which was fined $150,000 for not preventing malware from infecting its computers. The malicious programming breached the protected electronic health information of 2,743 individuals in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). According to an OCR news release, ACMHS adopted HHS Security Rule policies in 2005 but never followed them. The introduction of the malware into the ACMHS system was "the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software," according to an HHS/OCR bulletin. In addition to the $150,000 settlement amount, the resolution agreement between ACMHS and OCR includes a corrective action plan and requires ACMHS to report on the state of its compliance to OCR for a 2-year period.
NOVEMBER 12, 2014 Hackers swipe data of 60K in vendor HIPAA breach
'We are sorry for any inconvenience or concern that this may have caused you,' officials write four months later. November 12, 2014: A state insurance plan subcontractor is at the center of a serious security incident after hackers gained three months of unfettered access to its computer system, compromising thousands of members' health records. What's more, despite discovering the HIPAA breach in April, it took officials some four months to notify those affected. The Dallas-based Onsite Health Diagnostics, a medical testing and screening company which contracts with the state of Tennessee's wellness plan, notified 60,582 people that their protected health information was accessed and stored by an "unknown source." The breach affected members of Tennessee's State Insurance Plan, Local Government Insurance Plan and Local Education Insurance Plan.
To date, more than 41 million individuals have had their protected health information compromised in reportable HIPAA privacy and security breaches, according to data from the HHS Office for Civil Rights.
So how can NetWatcher's HIPAA Service help you with your HIPAA compliance? Specifically, we can help in these areas: